I'm using Truecrypt and I have multiple volumes on multiple computers. Keeping each of the 20+ character passwords straight is getting complicated, so I want to use keyfiles. Since the password is being combined with 1024 bytes from the keyfile, does it matter if my password is "dog"? Does a keyfile (say, a compressed file with lots of crazy characters) with a short password have the same brute force protection as a complex 20+ character password? I'm assuming no one has access to my keyfiles.

5 Answers

If you think the keyfiles are secure, then no password is needed; if you cannot accept the risk of the keyfiles leaking, then you need to password-protect them with a strong password. No password or a weak password is practically the same.

You can store your keyfiles within another truecrypt volume with a strong password, this way you only need to remember one password and your keyfiles are secure.

I disagree with the last part. If you're storing the keyfiles in another TrueCrypt volume, it's relatively easy to write forensics heuristics to detect high-entropy files without known headers (e.g. RAR / JPEG) to find the other volume. Then it's just a case of cracking the weak password.
– Polynomial, Aug 11 '12 at 19:55

I disagree: you would still be able to find encrypted volumes with forensic tools and would still know something interesting is in there, since it's an encrypted, password-protected volume. So you'll end up brute-forcing it anyway. If you use a weak password and say it becomes harder to find, then you are dealing with security through obscurity.
– Lucas Kauffman, Aug 12 '12 at 7:51

I'm confused. You seem to have said you disagree with me, then made the same point I did. What?
– Polynomial, Aug 12 '12 at 8:37

@Polynomial Your first comment doesn't make sense to me. Lucas suggested keeping the keyfiles in a volume with a strong password, so what weak password would there be to crack? The attacker could only find the keyfile by reading the volume with the strong password.
– Gilles, Aug 12 '12 at 18:34

@Gilles Then why not use a strong password on the volume and store the keyfiles on a USB stick, unencrypted? The whole point of TC's keyfiles is to provide two-factor authentication.
– Polynomial, Aug 12 '12 at 22:43

If no one has access to your keyfiles, then no one is getting access to your data.

Passwords are used here as an extra layer of "what if the key is leaked" protection. If the keyfile is absolutely secure (speaking theoretically here!) then so is the data.

I have a number of volumes secured purely by keyfiles, with no password at all, where the chance of the key leaking is minimal. Note that this may or may not be a reasonable assumption, depending exactly on your situation - I use it for encrypting my backups (each machine has an independent key, stored on the machine, which it uses to mount a TC volume before backing up to it - which needs to be done without manual intervention, which precludes a password).

tl;dr - use a strong password, and complement this with keyfiles if possible.

In terms of cryptography, it is computationally infeasible to break into your TrueCrypt volume without having both the password and the keyfiles. Fundamentally, the decryption key is an XOR combination of the hash of the password and the hash of the keyfiles. However, this does not mean that you get the same practical security from both types of key material.

TrueCrypt's keyfiles are part of a two-factor authentication scheme. The password is something you know, the keyfiles are something you have. In most cases, something you know is much stronger than something you have - people can steal your belongings, but it's much more difficult to steal your knowledge. A combination of the two allows for strong security.

As such, relying only on keyfiles for security is probably a bad idea. You're limited to security-through-obscurity techniques, where you try to hide the keyfiles. If you store them on your hard disk, forensic analysis of your disk will usually be able to locate your keyfiles. If you store them on a USB stick or flash card, a thorough search of your house / person will probably result in an attacker finding them.

Using a weak password on your main volume, then encrypting your keyfiles with a strong password is pointless - at that point you should just use a strong password on the main volume, and leave the keyfiles unencrypted.

There are at least the following problems with the TrueCrypt keyfile implementation:

Keyfile parsing ignores data beyond the first 1 MB. In three-factor authentication (something you have {keyfile}, something you know {password} and something you are {biometrics}), when being less or more connected to the internet, you might want to be able to detect file traffic of your files from your most accessed directory, i.e. the one with the keyfiles. Large files cannot be stored hidden in a boot sector using an Evil Maid style attack etc., therefore you want the keyfiles to be large. VeraCrypt and TrueCrypt both have this problem of a 1 MB limit per file (the rest is ignored); such files are easily transmitted over the network without even decreasing your bandwidth as a warning telltale.

The second problem is that the TrueCrypt keyfile parsing algorithm uses CRC32 instead of SHA256 or better; therefore appending the CRC32 value at the end of most of your files (an active preemptive attack on keyfiles), BEFORE you use them as a 'new fresh keyfile', might nullify the keyfile output, rendering you vulnerable when you unknowingly switch to a new keyfile thinking it will add something fresh to the password. KeePass and DiskCryptor do not have this problem.

The third problem is that keyfile processing does not start with the password or salt; therefore if you by accident use a short password and the same keyfile TWICE, from the attacker's standpoint he would never need to recalculate the keyfile again over the entire file, but rather stay with the same known CRC32 spread over 64 bytes of pattern unique to a given file. In other words, in order to get all possible keyfile contributions to the password from your filesystem you need 64 bytes of data per file, and that you can do silently with a backdoored online antivirus! This problem is shared by VeraCrypt, DiskCryptor and KeePass and probably all open source encryption software. The proper implementation would be HASH(HASH(HASH(HASH(salt) ^ HASH(password)) ^ keyfile[block_0]), keyfile[block_1], ...), a nested set of calls starting with salt and password, so if either one changes (while even assuming a broken RNG, at least the password could change) you would have to recalculate the entire routine along the keyfile. Only then would the keyfile method be really strong, because the attacker must have the entire, potentially heavy file in order to make his brute force attack.

What is often overlooked is that short keyfiles of minimal length (64 bytes) are easily detectable, potentially expose RNG weaknesses in the lower bits, and their randomness (high per byte) is not comparable with a typical file whose entropy is very low per kilobyte. This is another reason you want >1 MB-sized files, besides that they are more difficult to steal or transport undetected via the internet.

All said, it is very good to use a keyfile as a second factor, as it doesn't give the password away entirely for free if you have been attacked by a keylogger.

When using Windows, there is an interesting plugin for KeePass that allows mounting TrueCrypt volumes and entering the keyfile path without typing it, while using two-channel obfuscation. This makes you immune to most clipboard grabbers, screen grabbers, sound-recording keyboard analysis and all popular keyloggers.

If the directory name is long and random, the keyfile name is not even shown (because the path is too long), so you are immune to a screen grabber attack regarding which file is the keyfile, among several in a very fat directory.

Because KeePass uses SecureDesktop, you have more immunity to keyloggers by launching the KeePass manager (which can use a known location for a keyfile, stored in the registry), then launching TrueCrypt directly from it (again entering another keyfile as TrueCrypt input).

What is cool is that you can keep the keyfile on a USB stick encrypted with BitLocker To Go and then with EFS on a per-file basis. The removable USB volume as a whole can be conveniently mounted automatically by Windows, and the latter, per-file encryption works only when a specific Windows user is logged in. So another user hacking into the Windows machine will not even be able to access those keyfiles, and once you log out or lock your console (requires EFS configuration in gpedit.msc), the encryption keys for EFS will not even be in memory (cold boot attack against keyfiles - secured). Moreover, if you put those files on a USB or SD card, you can remove it easily after mounting the volumes, limiting their exposure within the working system.

Such an SD card or USB key could be disposed of in seconds, guaranteeing that it won't be stolen by a determined adversary. Then your data will be safe even if you tell the password while on drugs, which is good because you can consume drugs for free. Don't forget to keep several copies of the keyfile deep in the forest.
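To make the mechanics concrete for the question ("does it matter if my password is 'dog'?") and for the answer above about the 64-byte pool being computed independently of password and salt, here is an added example (not TrueCrypt's own source): a Python re-implementation of the keyfile pool and password mixing as the TrueCrypt/VeraCrypt documentation describes them, to the best of my knowledge, plus my reading of the answer's proposed salt-and-password-first construction as `chained_key`. The sample keyfiles are constructed inline.

```python
import zlib
from hashlib import sha256

KEYFILE_POOL_SIZE = 64            # the pool is fixed at 64 bytes whatever the keyfile size
KEYFILE_MAX_READ_LEN = 1_048_576  # bytes past the first 1 MiB of a keyfile are ignored


def keyfile_pool(keyfiles):
    """Fold keyfiles into the 64-byte pool as TrueCrypt/VeraCrypt document it.

    Each byte updates a running CRC-32 register (start 0xFFFFFFFF, no final
    XOR); the register's four bytes are added mod 256 into the pool at a cursor
    that wraps every 64 bytes. Register and cursor restart for each keyfile, so
    keyfile order does not matter. Password and salt never enter the pool.
    """
    pool = bytearray(KEYFILE_POOL_SIZE)
    for data in keyfiles:
        crc, cursor = 0, 0            # zlib's finalised form of the all-ones register
        for b in data[:KEYFILE_MAX_READ_LEN]:
            crc = zlib.crc32(bytes([b]), crc)
            reg = crc ^ 0xFFFFFFFF    # undo zlib's final XOR to get the raw register
            for shift in (24, 16, 8, 0):
                pool[cursor] = (pool[cursor] + ((reg >> shift) & 0xFF)) & 0xFF
                cursor = (cursor + 1) % KEYFILE_POOL_SIZE
    return bytes(pool)


def apply_keyfiles(password, keyfiles):
    """Mix the pool into the password byte-wise (mod 256). A password shorter
    than 64 bytes is extended with the remaining pool bytes, so with "dog" the
    last 61 bytes of the effective password are the pool itself."""
    pool = keyfile_pool(keyfiles)
    out = bytearray(password)
    for i in range(KEYFILE_POOL_SIZE):
        if i < len(password):
            out[i] = (out[i] + pool[i]) & 0xFF
        else:
            out.append(pool[i])
    return bytes(out)


def chained_key(salt, password, keyfile, block=4096):
    """My reading of the answer's proposed alternative: seed a hash chain with
    salt and password, then absorb the whole keyfile block by block, so no
    keyfile contribution can be precomputed without the password."""
    state = bytes(a ^ b for a, b in zip(sha256(salt).digest(), sha256(password).digest()))
    for i in range(0, len(keyfile), block):
        state = sha256(state + keyfile[i:i + block]).digest()
    return state
```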

The use of keyfiles is insecure. They don't weaken the security supplied by the password used in conjunction with a keyfile, but if a weak or even empty password is used with keyfiles you are no longer secure.